[kolp]

These Cloudflare WAF rules (not my creation) should help mitigate some of the threat by blocking TOR traffic, blocking bots and blocking datacenter IPs (eg bots running on a VPS). The rules are granular so you can tweak them when you start to identify the traffic sources of the bad actors.

You'll probably need to block entire ASNs. I assume most of your legitimate customers aren't using VPNs or eg DigitalOcean droplets to access your site.

https://webagencyhero.com/cloudflare-waf-rules-v3/

In addition, you should start looking for alternatives to PayPal in case they decide to drop you.

[aitchnyu]

Do western services ever offer two payment gateway options to the customer? Its common in India.

[toast0]

Yes. I buy things all the time from smaller vendors that support PayPal, Amazon Pay, maybe google/apple, as well as a direct credit card entry. Actually, even many large vendors offer a selection of payment options; I pay Walmart and I think BestBuy with PayPal because it's got my card saved and I don't want to get up and grab my wallet. PayPal has big issues if you're a small seller, but as a purchaser it's convenient.

I don't think I've seen vendors offer a choice of two different merchant accounts, but some do have multiple merchant accounts and select one or the other at time of billing; sometimes you can tell because it shows up a little different on the bill depending on the path, or more often because they send an announcement about trouble with billing and mention that it only affects some customers because they have two accounts.